Abstract — The smart grid, equipped with modern communication
infrastructure, is subject to possible cyber attacks. In particular,
false report attacks, which replace the sensor reports with fraudulent
ones, may cause instability of the whole power grid or even
result in a large-area blackout. In this paper, a trustiness system
is introduced at the controller, which computes the trustiness of
different sensors by comparing its prediction of the system state,
obtained from Kalman filtering, with the reports from the
sensors. The trustiness mechanism is discussed and analyzed for
the Linear Quadratic Regulation (LQR) controller. Numerical
simulations show that the trustiness system can effectively combat
cyber attacks on the smart grid.



I. Introduction 

In recent years, smart grid has attracted significant interest
in both communities of communications and power systems
1151. In a smart grid, modern communication technologies are
used to convey information like system parameters (voltage,
frequency, harmonics, etc.) and power consumption information
in order to improve the robustness, agility and efficiency
of the power grid. For example, as illustrated in Fig. 1, phasor
measurement units (PMUs) send reports to the power plant,
which takes actions to stabilize the power grid.

However, the communication infrastructure also brings vulnerability
to the smart grid. An attacker can attack the communication
links using various approaches such as jamming
in the physical layer and Byzantine attack in the upper layers.
The attack could result in delay or drop of report packets. The
attacker may revise the report such that the received report
is wrong, thus possibly incurring system instability and even
a large-area blackout, which brings the loss of millions of dollars.
Therefore, a secure design of the smart grid is urgently needed.

In this paper, we study the trustiness framework based
secure control in smart grid. We assume that each report could
be substituted by a false report from an attacker.¹ Instead
of studying the security protocols in the communication networks,
which have been intensively studied for data networks
like the Internet, we focus on the controller side, i.e., the power
plant, which is aware of possible attacks. The controller can
predict the future system state and then evaluate the trustiness
of reports from different PMUs. Based on these trustiness values, the
controller takes a corresponding control strategy, e.g., dropping
untrusted packets. The trustiness will also be fed back to the
PMUs such that the PMUs can adjust their security setups
(e.g., the keys or the cryptography protocols). The system is
illustrated in Fig. 1. For example, suppose the reports from PMU A
are attacked by the attacker. Then, the trustiness of the reports
from PMU A is reduced, which may make the controller drop
the corresponding reports. Meanwhile, PMU A may change
its key or use a more secure protocol when it finds out that
its trustiness has been significantly decreased.

¹ For the packet delay or loss, many techniques have been developed in the
area of networked control, e.g., the LQR control subject to packet losses [8].

Fig. 1: An illustration of the secure control system in smart
grid.

Note that the reliability issues for control systems have
been considered in the supervisory control and data acquisition
(SCADA) standard (TO]. However, SCADA is mostly focused
on reliability subject to random failures, instead
of malicious attacks. There are some studies on control
systems subject to malicious attacks |[2) |@) J5). |@) and 10
introduce general problems and approaches for secure control
without exploring the details. (0 is focused on the control
system subject to denial-of-service (DoS) attacks, thus mainly
addressing packet delays or losses. There have not been
any studies on combating spoofing attacks, particularly,
applying the trustiness framework in the secure control.

Note that the trustiness system has been widely used in 
information systems, e.g., J6]] ifTTI . However, they are not 
designed for control systems. The unique system dynamics of 
the control system can be exploited to build the corresponding 
effective trustiness. In this paper, we apply Kalman filtering 
to predict the system state using different combinations 
of PMU reports, thus realizing a cross-check of the report 
trustiness. 

The remainder of this paper is organized as follows. The
system model of the controller and communication infrastructure
is introduced in Section II. A mechanism for evaluating the
trustiness of different PMUs is proposed in Section III. The
numerical simulation results and conclusions are provided in
Sections IV and V, respectively.

II. System Model 

In this section, we first introduce the linear system model 
for power grid. Then, we explain the LQR criterion of the 
control. 



A. Linear System 

We model the dynamics of the power grid as a discrete-time
linear system², whose dynamics are given by

$$\begin{aligned} x(t+1) &= Ax(t) + Bu(t) + w(t), \\ y(t) &= Cx(t) + n(t), \end{aligned} \tag{1}$$

where x is an N-vector and represents the system state of the
power grid, y is an M-vector representing the observations
and u is the action taken by the controller. The matrices
A, B and C are specified by the system. Both w(t) and
n(t) are Gaussian noise. For simplicity, we suppose that each
dimension of the observation vector y is sensed by a PMU.
It is easy to extend to the general case in which the sensor
reports have overlaps. Each PMU sends its observations to
the controller via a communication channel since they are not
located at the same place as the controller.

We use the following assumptions throughout the paper:

• Each report can be successfully received by the controller
if there is no attack. This is reasonable for communication
channels with good quality. For the practical case
of occasional packet drop, the control strategy can be
obtained by considering the corresponding element in the
observation matrix C as zero.

• Each report could be replaced with a false report by
an intervening attacker. The attacker could intercept the
report and insert its own one. However, we assume that
not all reports are replaced.

• For simplicity, we assume that there is at most one
attacker. The principle of the trustiness system can be
extended to the case of multiple attackers at the expense of
more computation.

B. LQR Control 

When there is no attacker, we assume that the controller
adopts the LQR control [7] with an infinite time horizon, with
the cost function given by

$$J = E\left[\sum_{t=1}^{\infty} \beta^t\left(x^T(t)Qx(t) + u^T(t)Pu(t)\right)\right], \tag{2}$$

where Q and P are positive definite matrices. The physical
meaning of the objective function is given below:

• The term $x^T(t)Qx(t)$ is the norm (with respect to the
positive definite matrix Q) of the system state vector.

• The term $u^T(t)Pu(t)$ is the norm of the action vector
with respect to the matrix P, which represents the cost
due to the action itself.

² Although the power grid is usually nonlinear, it can be approximated by a
linear system in the small perturbation case.

Fig. 2: An illustration of the Kalman filtering based trustiness
evaluation.

Based on the cost function in (2), the LQR action u(t) is
given by

$$u(t) = -L\hat{x}(t), \tag{3}$$

where $\hat{x}(t)$ is the estimation of the system state fed back from
a state estimator which will be explained later, and



(B T SB 



B J SA, 



(4) 



and the matrix S satisfies the algebraic Riccati equation, which
is given by



(B T SB 



SB 



pr x B T s 



Q 



(5) 



III. Trustiness Evaluation 



In this section, we propose a mechanism for evaluating
the trustiness of each sensor. The essential reason that the
controller can evaluate the trustiness of each sensor is that the
controller can predict the future state with some uncertainty.
If the report from a sensor deviates significantly from the
prediction, then the controller can consider this sensor as
unreliable and ignore its reports. The basic principle is to
evaluate the trustiness of each PMU by comparing its report
with the prediction obtained from the reports of the other N - 1
PMUs. The procedure is illustrated in Fig. 2.

A. System State Prediction 

In each time slot, the controller can predict the system state
in the next time slot, i.e., x(t + 1), according to its own action
u(t) and the current system state x(t). Since it is possible that
there is one attacker, the controller computes N predictions by
excluding one sensor in each prediction.

The Kalman filtering can be applied for the system state
estimation. According to [9], the system state x(t + 1) is
Gaussian distributed. When the observation $y_n$ from PMU n
is excluded, the expectation of the system state is given by

$$\hat{x}^n(t+1|t) = A\hat{x}^n(t|t), \tag{6}$$

where

$$\hat{x}^n(t|t) = \hat{x}^n(t|t-1) + K^n(t)\left(y - C\hat{x}(t|t-1)\right), \tag{7}$$

where $C^n$ is obtained by removing the n-th row from the
observation matrix C, and

$$K^n(t) = \Sigma(t|t-1)\left(C^n\Sigma^n(t|t-1)(C^n)^T + \sigma^2 I\right)^{-1}, \tag{8}$$

and covariance matrix given by

$$\Sigma^n(t|t) = \Sigma^n(t|t-1) - K^n(t)C^n\Sigma(t|t-1), \tag{9}$$

where

$$\Sigma^n(t+1|t) = A\Sigma^n(t|t)A^T + BQB^T. \tag{10}$$

B. Trustiness Computation 

Using the prediction obtained from the reports of PMUs
except PMU n, the a posteriori probability of $y_n(t)$, i.e.,
$p(y_n(t)|y_{-n}(0:t))$ (here $y_{-n}$ means the observations excluding
that of PMU n), is Gaussian distributed with the
expectation given by

$$\mu_n(t) = c_n\hat{x}^n(t|t), \tag{11}$$

where $c_n$ is the n-th row in matrix C, and variance

$$\sigma_n(t) = c_n\Sigma^n(t|t)c_n^T. \tag{12}$$

We denote by $T_n$ the type of PMU n. $T_n = A$ if PMU n is
an attacker; otherwise $T_n = H$. Then, we define the suspicious
level of PMU n as the following conditional probability, which
is given by

$$\pi_n(t) = P(T_n = A|y(0:t)). \tag{13}$$

The trustiness can be defined as $1 - \pi_n(t)$.

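The challenge in computing the suspicious level is the
unknown attacking strategy.³ We first assume that there must
be an attacker. Using the Bayesian rule, we have

$$\begin{aligned}
\pi_n(t) &= \frac{P(y(0:t)|T_n = A)}{\sum_{m=1}^{N} P(y(0:t)|T_m = A)} \\
&= \frac{1}{1 + \sum_{m \neq n} \frac{P(y(0:t)|T_m = A)}{P(y(0:t)|T_n = A)}} \\
&\approx \frac{1}{1 + \sum_{m \neq n} \frac{\prod_{s=0}^{t} P(y(s)|T_m = A)}{\prod_{s=0}^{t} P(y(s)|T_n = A)}},
\end{aligned} \tag{14}$$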



where the last approximation is obtained by decomposing
the joint distribution into the product of the probabilities in
each time slot. Note that this approximation is not rigorous.
However, it simplifies the computation, and its validity will
be demonstrated in the numerical simulations. We make the
following further simplification:

$$P(y(s)|T_n = A) = P(y_n(s)|T_n = A)\prod_{k \neq n} P(y_k(s)|T_k = H), \tag{15}$$

by assuming the independence among the PMUs. Although
this assumption does not hold, it simplifies the analysis. We
further assume that $P(y_n(s)|T_n = A)$ is a constant since we
have no knowledge about the attacker's strategy. Substituting
the approximation in (15) into (14), we obtain

$$\pi_n(t) = \frac{\frac{1}{\prod_{s=0}^{t} P(y_n(s)|T_n = H)}}{\sum_{m=1}^{N} \frac{1}{\prod_{s=0}^{t} P(y_m(s)|T_m = H)}}. \tag{16}$$

We then approximate the probability $P(y_n(s)|T_n = H)$ by
$\mathcal{N}(\mu_n(t), \sigma_n(t))$.

³ It is possible that an attacker is captured and the strategy is known to the
defender side. However, such an assumption is too strong for most systems.

When it is possible that there is no attacker, it is easy to
repeat the above procedure and obtain the following approximation
for the suspicious level of PMU n, which is given
by

$$\pi_n(t) = \frac{\frac{1}{\prod_{s=0}^{t} P(y_n(s)|T_n = H)}}{L + \sum_{m=1}^{N} \frac{1}{\prod_{s=0}^{t} P(y_m(s)|T_m = H)}}, \tag{17}$$

where L represents the a priori likelihood that there is no
attacker, which is given by

$$L = \frac{P(\text{there is no attacker})}{P(\text{there is one attacker})}. \tag{18}$$

Obviously, the larger L is, the less sensitive the controller is to
possible attackers.

C. Secure Control Based on Trustiness 

One approach to handling the attacker is to omit its reports
once it has been determined to be an attacker. Alternatively, we
propose a heuristic approach for the control based on the
trustiness values, called weighted prediction. Suppose that we
still use the LQR control. Then, the control action taken at
time t is given by

$$u(t) = -L\hat{x}\left(t, \{P(T_n = A|y)\}_n\right), \tag{19}$$

where the system state estimation is a function dependent on
the suspicious levels of different PMUs. We set

$$\hat{x}\left(t, \{P(T_n = A|y)\}_n\right) = \frac{\sum_{n=1}^{N} P(T_n = A|y)\,\hat{x}^n(t)}{\sum_{n=1}^{N} P(T_n = A|y)}, \tag{20}$$

where the estimation is the weighted sum of the system state
estimations of different excluded PMUs. When the suspicious
level of PMU n is high, the corresponding system state
estimation $\hat{x}^n(t)$, which excludes the reports from PMU n,
will dominate (recall that $\hat{x}^n(t)$ is obtained by excluding the
reports from PMU n).

D. Algorithm Summary

The proposed algorithms are summarized in Procedure 1.
Procedure 1 Procedure of the Trustiness Computation and Control

for each time slot t do
    for PMU n, n = 1, 2, ..., N do
        Exclude the report from PMU n, i.e., $y_n(t)$.
        Carry out the Kalman filter for the observation with $y_n(t)$ excluded.
        Compute the expectation and variance using (11) and (12).
        Compute the corresponding probability $P(y_m(s)|T_m = H)$.
    end for
    Compute the suspicious levels.
    Apply the weighted system state estimation for the LQR control.
end for
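
A compact version of Procedure 1, added here as an illustration and not taken from the paper: it accumulates each PMU's honest-report log-likelihood and evaluates (16) and (17) in the log domain, because the raw products over many time slots overflow or underflow in floating point. Assumptions made for the example: a scalar state observed by every PMU (so c_n = 1), a constant-offset false report from PMU 0, a fixed feedback gain in place of the Riccati solution, and the hypothetical names `suspicious_levels` and `simulate`.

```python
import math
import random


def suspicious_levels(nll, log_L=float("-inf")):
    """Eq. (17) evaluated in the log domain; log_L = -inf reduces it to (16).

    nll[n] is -sum_s log P(y_n(s) | T_n = H), so 1/prod_s P(...) = exp(nll[n]).
    """
    shift = max(max(nll), log_L)           # keeps every exponent <= 0
    num = [math.exp(v - shift) for v in nll]
    den = math.exp(log_L - shift) + sum(num)
    return [v / den for v in num]


def simulate(steps=60, n_pmu=4, attacker=0, offset=1.0, seed=1,
             a=0.9, b=1.0, q=0.01, r=0.01, gain=0.5):
    """Constructed scalar system x(t+1) = a x(t) + b u(t) + w(t); every PMU
    reports y_n = x + noise (variance r); q is the process-noise variance."""
    rng = random.Random(seed)
    x, u = 1.0, 0.0
    xhat = [0.0] * n_pmu    # leave-one-out estimates x^n(t|t)
    var = [1.0] * n_pmu     # their variances Sigma^n(t|t)
    nll = [0.0] * n_pmu
    pi = [1.0 / n_pmu] * n_pmu
    for t in range(steps):
        x = a * x + b * u + rng.gauss(0.0, math.sqrt(q))
        y = [x + rng.gauss(0.0, math.sqrt(r)) for _ in range(n_pmu)]
        if t >= 10 and t % 2 == 0:
            y[attacker] += offset          # false report (constructed attack)
        for n in range(n_pmu):
            others = [y[k] for k in range(n_pmu) if k != n]
            x_pred = a * xhat[n] + b * u   # (6), plus the known input
            v_pred = a * a * var[n] + q    # (10)
            # (7)-(9) in information form, using every report except PMU n's
            var[n] = 1.0 / (1.0 / v_pred + len(others) / r)
            xhat[n] = var[n] * (x_pred / v_pred + sum(others) / r)
            # (11), (12) with c_n = 1, then the Gaussian log-density of y_n
            resid = y[n] - xhat[n]
            nll[n] += 0.5 * (math.log(2 * math.pi * var[n]) + resid ** 2 / var[n])
        pi = suspicious_levels(nll)
        x_weighted = sum(p * e for p, e in zip(pi, xhat)) / sum(pi)   # (20)
        u = -gain * x_weighted                                        # (19)
    return pi, nll
```

`simulate()` returns the final suspicious levels and the accumulated negative log-likelihoods; passing a finite `log_L` to `suspicious_levels` applies the no-attacker prior of (18).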



IV. Numerical Simulations 

In this section, we use numerical simulations to demonstrate 
the proposed trustiness system in smart grid. 



A. Linear Model 

We adopt the linear model analyzed in Example 6.2 of 
(T), in which the system is described using the following 
continuous-time linear dynamics: 



$$\dot{x}(t) = -M^{-1}Kx - M^{-1}u + w,$$
where the matrix M is given by 



(21) 
and the matrix K is given in (|21~1 i (at the top of the next
page). The details of the model can be found in (T). 

Since we discuss the discrete-time model in this paper, we
approximate the continuous-time model by setting a small time
step Δt, which is given by

$$\frac{x((n+1)\Delta t) - x(n\Delta t)}{\Delta t} \approx -M^{-1}Kx(n\Delta t) - M^{-1}u(n\Delta t) + w(n\Delta t). \tag{22}$$

Therefore, we assume the following discrete-time model:

$$x(n+1) = \left(I - \Delta t\,M^{-1}K\right)x(n) - \Delta t\,M^{-1}u(n) + \Delta t\,w(n), \tag{23}$$

where we ignore the step Δt in the index.

We assume that the PMUs can observe the system state 
directly, i.e., C = I, each PMU for one dimension. We further 
assume that PMU 1 is malicious while all other PMUs are 
honest. 
Fig. 3: The trace of suspicious level of the attacker and two
honest PMUs: random report case.

Fig. 4: The trace of suspicious level of the attacker and two
honest PMUs: deliberate noise case.



B. Evolution of Suspicious Level 

In Figures 3 and 4, the evolution of the suspicious level
is shown for the attacker and two honest PMUs. In Fig. 3,
we assume that the report of the attacker is a Gaussian
random variable with zero mean and variance 0.1. The attacker
decides to attack or not to attack with probability 0.2 (called
attack frequency). We observe that there is some fluctuation
at the beginning. Then, at the times when the attacker
launches attacks, the suspicious level of the attacker increases
significantly. After around 80 time slots, the attacker can be
well distinguished from the two honest PMUs. In Fig. 4, we
assume that the attacker attaches a Gaussian noise with zero
expectation and variance 0.1 to the observation. The attack
frequency is increased to 0.5. We observe that the suspicious
level increases more smoothly.

C. Detection Delay and False Alarm 

In Fig. 5, we plot the cumulative distribution function (CDF)
curves of the time when the controller claims that an attacker
is detected. We assume that the controller claims the attacker
when the suspicious level is larger than 0.7. The cases of false
alarms are excluded (note that a false alarm is defined as
the event that an honest PMU is claimed to be an attacker).
We change the attack frequencies from 0.1 to 0.3. The linear
system runs for 200 time slots. We observe that, when the
attack frequency is 0.1, the attacker is not detected within the
200 time slots in around 40% of cases. When the attack frequency
is increased, the attacker will be detected faster.

Fig. 5: CDF curves of the time of claiming the detection.

Fig. 6: ROC curves (detection delay and false alarm) for
different attack frequencies.

In Fig. 6, we plot the receiver operating characteristic (ROC)
curves, which show the average delay of detection (excluding
the false alarms) and false alarm rate. The attack frequencies
are 0.2 and 0.4, respectively. Again, we use the threshold of
0.7 for the suspicious level. Obviously, the detection delay
increases when the attack frequency becomes larger with a
fixed false alarm rate.



D. Comparison of Cost 

In Figures 7 and 8, the cost averaged over 2000 time slots
and 100 realizations is shown. We assume that Q = I and
P = 0.01I in (2), i.e., we pay much more attention to the norm
of the system state. We compare the costs using the weighted
system state estimation in Section III and the system without
any countermeasure against the attacker (i.e., full trust in each
PMU).

In our test, we found that a small-amplitude attack (e.g., the
attacker uses the same attack as in Fig. 5) causes very small
impact on the system. This is because the Kalman filter
has a certain inherent robustness, since the attack can be partially
mitigated by observations from other PMUs. Therefore, we
assume that the report of PMU 1 is the sum of the original
report and a strong noise with a large variance, which is
called the attack amplitude. In Fig. 7, we assume that the attack
amplitude is 100 and change the attack probabilities. We
observe that, as the attack probability increases, the average
cost of the full trust case is significantly increased. Meanwhile,
the total cost is decreased as the attack frequency increases. A
possible reason is that a higher attack frequency may cause
a more rapid degradation of the trustiness of the attacker.
The total cost is also shown for different attack amplitudes in
Fig. 8. Again, the total cost increases as the attack amplitude
is increased in the full trust case. In contrast to Fig. 7,
the average cost of the weighted system state case is not a
monotonic function of the attack amplitude. The reason could
be: when the attack amplitude is small, the attacker causes
little damage to the system; when the amplitude is large, the
controller can detect the attacker early and avoid the cost in
later time slots.

V. Conclusions 

In this paper, we have analyzed the possible spoof attack
on the smart grid system, in which the attacker can intercept
the true report and send its faked report to the controller,
which can cause severe damage to the power grid. We have
proposed a trustiness system for the controller, in which
multiple Kalman filtering processes, with each PMU excluded,
are used to cross-check the suspiciousness of each PMU. The
suspicious levels are then used as weights for the system state
estimation for the LQR control. Numerical simulations have
shown that the attacker can be effectively detected and the
weighted system prediction approach significantly outperforms
the system unaware of possible attacks.

Our future work includes the following aspects:

• The multiple attacker case.

• The optimal attack strategy of the attacker against the
proposed trustiness system.

Fig. 8: The average cost versus different attack amplitudes.